Hello, yes,

Although I personally never used HEADS productively, I've set it up; the
last time was quite some time ago, though. I remember I had to troubleshoot
quite a bit.

About petitboot, I just started to look into it myself, so I won't be
much help there probably. What exactly are you trying to achieve?

I will send you a grub.cfg which is working tomorrow morning; you will
have to edit/adjust it, though (either change the UUID in the config file
or the UUID of /boot).

I used kernel signing, but I wasn't too happy with it in the long run. For
usability, 2FA with one partition or /boot and /root encrypted so far
is the best; we use it every day.

Talking about usability, I highly recommend adding SeaBIOS as a
secondary payload, at least if you want to boot a live USB from time to time.


cheers


On 9/18/18 3:20 PM, get wrote:
> On Tuesday, 18 September 2018, 20:16:10 UTC+3, Jonathan Seefelder
> wrote:
>> Yes, it's possible. Do you want to encrypt /boot and /root separately, so
>> you will need a different password for each partition, or do you want to
>> encrypt it all together with 2FA etc.?
>>
>> The first one is relatively easy; you will have to modify the grub.cfg
>> of your coreboot image. Also, the UUID will have to match; you can either
>> do a "normal" install and change the UUID in the grub.cfg, or change the
>> UUID of /root.
>>
>> Check out the libreboot site; all the necessary information should be
>> there. I will write a tutorial some day.
>>
>> cheers
>>
>>
>> On 9/18/18 1:02 PM, 'awokd' via qubes-users wrote:
>>
>>> get:
>>>> FDE, in my understanding, is a partition scheme that looks like
>>>>
>>>> sda      8:0    0 99999,9G  0 disk 
>>>> └─sda1   8:1    0 99999,9G  0 LUKS
>>>> └──luks-<UUID>           crypt
>>>> ├─qubes_dom0-boot   lvm /boot (encrypted)
>>>> ├─qubes_dom0-swap   lvm [SWAP] (encrypted)
>>>> └─qubes_dom0-root   lvm  / (encrypted)
>>>>
>>>> FDE = cryptsetup whole disk (including /boot). Not only the root partition.
>>>> Anaconda can't do it by default. Installation succeeds only with grub
>>>> missing.
>>>> OS research HEADS can't kexec into an FDE disk.
>>>>
>>>> Is it only possible to boot from grub2 coreboot ?
>>>>
>>>> cryptomount -a
>>>> set root='hd0,msdos1'
>>>> linux=... vmlinuz=...
>>>>
>>>> I have been trying to do the coreboot firmware for a month already 
>>>> to get a load of Qubes with full disk encryption (including /boot). Is it 
>>>> possible? Can anyone help me ?:)
>>> I've seen others on this list report it as successful, but haven't done
>>> it myself. I think they had to use the Seabios payload for the initial
>>> install, then switch to coreboot's grub2. Afraid that's about all I know...
>>>
>> -- 
>> Kind Regards 
>> Jonathan Seefelder
>> CryptoGS IT-Security Solutions
> Hi, Jonathan Seefelder.
>
> I'm looking for different ways to encrypt the whole disk (including
> /boot) and load it using coreboot modifications.
>
> I know how to load Parabola FDE (including /boot) this way:
>
> menuentry 'Linux-libre kernel' {
>         cryptomount -a (ahci0,msdos1)
>         set root='lvm/matrix-rootvol'
>         linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
>         initrd /boot/initramfs-linux-libre.img
> }
>
> Is it the same method for Xen?
>
> Did you try Heads/Petitboot?
>
> https://www.raptorengineering.com/content/kb/1.html
> https://github.com/osresearch/heads
>
> Did you try to add 
> https://en.wikipedia.org/wiki/PBKDF2 to grub use qubes FDE?
>
> Did you try adding gpg keys?
>
> Thanks.
>
-- 
Kind Regards 
Jonathan Seefelder
CryptoGS IT-Security Solutions

